SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
A high-severity SharePoint Server flaw enabling remote code execution through deserialization of untrusted data was added to a federal known-exploited-vulnerabilities catalog after evidence surfaced that attackers are actively exploiting it. The bug, patched in May but only now confirmed under active attack, lets an authenticated user with minimal permissions run code remotely, and federal civilian agencies have been ordered to apply the fix by July 4. The disclosure follows a separate investigation that found two unrelated threat actors operating simultaneously inside one compromised network, each using distinct tools and persistence techniques that complicated efforts to determine the full scope of the intrusion.
DHS Confirms Hackers Breached HSIN Info-Sharing Platform
An unidentified threat actor breached a sensitive information-sharing platform used by federal, state, local, and private-sector partners to coordinate on security incidents and threats, with the intrusion believed to have occurred between late May and early June. Investigators have not yet attributed the attack or confirmed whether documents were stolen, though the compromised network is also used to coordinate safety and security around major public events, raising concerns about exposed planning details. Officials say classified systems were not affected and that the impacted environment was isolated once the incident was discovered.
FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks
A large-scale credential-harvesting operation that has targeted more than 430,000 firewalls across 150 countries since February has been tied directly to two active ransomware operations, with researchers finding a single operator logged into both groups’ negotiation panels using infrastructure traceable back to the campaign. The attackers deployed a network sniffer to capture cleartext credentials and password hashes passing through compromised devices, ultimately harvesting more than 110 million credentials and gaining full domain administrator access on hundreds of targets. Twelve of those intrusions have already resulted in ransomware deployment, encrypting hundreds of endpoints across the affected organizations.
Criminals Pose as Interpol in Phishing Emails to Deliver Ransomware
A phishing campaign is impersonating international law enforcement to pressure small businesses across Europe, Asia, the Middle East, and North America into opening a supposed evidence file tied to fraudulent activity. The message directs recipients to a password-protected file hosted on a cloud storage service that actually contains an executable disguised as a video, which deploys ransomware once run. Rather than naming a fixed ransom amount, the attackers instruct victims to make contact over an encrypted messaging service, suggesting they negotiate demands based on a target’s size and perceived ability to pay.
DHS to Unveil Replacement Council for Critical Infrastructure Cybersecurity
The Department of Homeland Security is reviving a cybersecurity information-sharing partnership with critical infrastructure operators more than a year after the previous advisory body was dissolved, leaving power, water, and telecommunications owners without a formal channel to coordinate on threats with federal agencies. The new council will be managed directly by the federal cybersecurity agency, which will select industry participants itself rather than letting the private sector self-organize as before, and its meetings will be exempt from public transparency requirements given the sensitivity of the material discussed. Lawmakers and former officials welcomed the restoration of the partnership while raising questions about how membership and influence will be distributed among participants.